On Mon, Jun 01, 2020 at 04:15:22PM +0200, Greg KH wrote: > On Mon, Jun 01, 2020 at 05:05:19PM +0300, Kirill A. Shutemov wrote: > > On Mon, Jun 01, 2020 at 01:07:24PM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote: > > > > > > The patch below does not apply to the 4.4-stable tree. > > > If someone wants it applied there, or to any other stable or longterm > > > tree, then please email the backport, including the original git commit > > > id to <stable@xxxxxxxxxxxxxxx>. > > > > Please don't. > > > > The patch known to cause trouble and going to be effectively reverted: > > > > https://lore.kernel.org/r/159032779896.957378.7852761411265662220.stgit@buzz > > Oops, I ment to say that 6988f31d558a ("mm: remove VM_BUG_ON(PageSlab()) > from page_mapcount()") did not apply to the 4.4 tree and needs a working > backport. > > I put in the wrong id as that is the commit that 6988f31d558a fixes. > > So, if you could provide a working backport, that would be wonderful. The patch below should do. I've dropped the comments. They are not relevant for v4.4. >From e0568884b6bab1658d4e97d38b22b25c2e6eddeb Mon Sep 17 00:00:00 2001 From: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxxxxxx> Date: Wed, 27 May 2020 22:20:47 -0700 Subject: [PATCH] mm: remove VM_BUG_ON(PageSlab()) from page_mapcount() Replace superfluous VM_BUG_ON() with comment about correct usage. Technically reverts commit 1d148e218a0d ("mm: add VM_BUG_ON_PAGE() to page_mapcount()"), but context lines have changed. Function isolate_migratepages_block() runs some checks out of lru_lock when choose pages for migration. After checking PageLRU() it checks extra page references by comparing page_count() and page_mapcount(). Between these two checks page could be removed from lru, freed and taken by slab. As a result this race triggers VM_BUG_ON(PageSlab()) in page_mapcount(). Race window is tiny. For certain workload this happens around once a year. page:ffffea0105ca9380 count:1 mapcount:0 mapping:ffff88ff7712c180 index:0x0 compound_mapcount: 0 flags: 0x500000000008100(slab|head) raw: 0500000000008100 dead000000000100 dead000000000200 ffff88ff7712c180 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: VM_BUG_ON_PAGE(PageSlab(page)) ------------[ cut here ]------------ kernel BUG at ./include/linux/mm.h:628! invalid opcode: 0000 [#1] SMP NOPTI CPU: 77 PID: 504 Comm: kcompactd1 Tainted: G W 4.19.109-27 #1 Hardware name: Yandex T175-N41-Y3N/MY81-EX0-Y3N, BIOS R05 06/20/2019 RIP: 0010:isolate_migratepages_block+0x986/0x9b0 The code in isolate_migratepages_block() was added in commit 119d6d59dcc0 ("mm, compaction: avoid isolating pinned pages") before adding VM_BUG_ON into page_mapcount(). This race has been predicted in 2015 by Vlastimil Babka (see link below). [akpm@xxxxxxxxxxxxxxxxxxxx: comment tweaks, per Hugh] Fixes: 1d148e218a0d ("mm: add VM_BUG_ON_PAGE() to page_mapcount()") Signed-off-by: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> Acked-by: Hugh Dickins <hughd@xxxxxxxxxx> Acked-by: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx> Acked-by: Vlastimil Babka <vbabka@xxxxxxx> Cc: David Rientjes <rientjes@xxxxxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> Link: http://lkml.kernel.org/r/159032779896.957378.7852761411265662220.stgit@buzz Link: https://lore.kernel.org/lkml/557710E1.6060103@xxxxxxx/ Link: https://lore.kernel.org/linux-mm/158937872515.474360.5066096871639561424.stgit@buzz/T/ (v1) Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> --- include/linux/mm.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 69fa3df9e712..03cf5526e445 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -446,7 +446,6 @@ static inline void page_mapcount_reset(struct page *page) static inline int page_mapcount(struct page *page) { - VM_BUG_ON_PAGE(PageSlab(page), page); return atomic_read(&page->_mapcount) + 1; } -- Kirill A. Shutemov
